Which would you rather have? Employees who:

1. Do what’s best for the business. Or,

2. Follow all policies and procedures.

What’s that? Breaking the rules is bad for the business? Sure — I read about a company like that once. In a work of fiction.

Even the best policies are one-size-fits-many solutions to anticipated situations. They don’t always fit the world as it actually happens. When a company places too much emphasis on its policy manual, it’s a stifling, choking bureaucracy. Count on it.

That doesn’t mean employees should ignore the rules whenever they’re inconvenient, though. Unless, that is, your business model requires utter chaos, and not everyone runs an advertising agency.

Striking the proper balance is far from easy. Still, I’m pretty sure that making every policy violation a firing offense is about as sensible as making jaywalking a felony.

Which brings us back to desktop lockdown and information security in general.

Last week’s column laid out some steps you can take to improve security. Desktop lockdown was conspicuous by its absence, which led a number of readers to conclude that I favor leaving PCs wide open, so end-users can do whatever they want. That’s far from the case.

I covered this ground ten years ago, in the original “End-user Computing Manifesto.” It’s overdue for an update. Here goes:

Purchased Applications

  • Where IT has established a standard, end-users must accept it. If you’ve settled on Microsoft Office, for example, nobody has the right to insist on StarOffice instead, any more than they can insist on using a different voice mail system from the rest of the company. IT will, however, find out what it is about the official application that makes it so seriously deficient that buying an alternative seemed like a good idea.
  • Where IT hasn’t established a standard, the right of end-users to purchase and install software depends on the nature of their jobs. Some procedure-driven jobs have tight boundaries. PCs just happen to be the programmable platform IT gives employees to run the fixed set of applications that drive the process. Lock these PCs down tight. Other jobs require flexibility, innovation, and an emphasis on goals over technique. Give employees in these jobs more latitude. When in doubt, the business manager makes the call, not IT.

    Exception: IT will maintain a “blacklist” of disallowed software that’s known to contain either malware, serious security holes, or severe bugs. Automated software inventory tools will regularly scan PCs to detect newly installed software, and IT will research any new packages to determine whether they should be added to the blacklist.

  • IT promises no support for end-user-installed software, but may choose to help out as time and staff are available.
  • IT will never say, “We don’t provide this kind of tool and we won’t let you buy it either.”
  • If a PC goes haywire, IT will recover its data if possible, and restore it to a standard build.
  • End-users will never be given administrative access to a shared resource that’s maintained by IT.

End-user Development

  • IT will provide suitable tools and support for end-user software development.
  • IT will never say, “We won’t build it for you, and we won’t let you build it for yourself either.”
  • If an end-user develops an application that is redundant to an existing IT-supplied application, IT will give that employee’s manager the old hairy eyeball. It will also find out what about the official application is so seriously deficient that building an alternative seemed like a good idea.
  • Responsibility for the accuracy and integrity of applications developed (or purchased) without IT’s involvement rests with the business manager. IT will provide training for business managers on how to manage small-scale application development and maintenance.
  • IT and internal audit will provide consulting and review services for end-user-developed applications, if requested, or if the situation demands it.

Other Stuff

  • End-users may only upload information into production databases through audited validation programs provided by IT for that purpose.
  • IT will provide secure, convenient facilities for remote network access. End-users may never, under any circumstances, install and use their own.
  • End-users are not allowed to install software that tunnels through open firewall ports to bypass IT security.

If this strikes you as too permissive, imagine you discover that your employer’s top sales representative — the one who personally brings in a quarter of the company’s new accounts — installed Act! on his company laptop in violation of policy. Which is the right answer: Firing his sorry behind?

Or buying copies for all the other sales reps?

I got into a bit of an altercation in one of this week’s Advice Line postings. It was in response to an exceptionally snide episode of Roger Grimes’ Security Advisor column in InfoWorld. According to Roger, there is exactly one way that all companies should manage desktop computing, and that’s to lock all PCs down tight.

Roger hauled out all of the expected arguments: End-users are, to paraphrase, lazy slackers who will install anything so long as it has nothing to do with their jobs. One of his examples was GotoMyPC, which allows them to work from home (I’m not making this up). That gives you an idea of why I felt compelled to offer a critique.

To be fair, in other columns Roger has pointed out that in order for a total lockdown strategy to succeed, IT has to become highly responsive so that end-users can get the tools they need to do their work quickly and without a lot of fuss. Amen to that.

Roger also makes a useful point — that the nature of malware has changed, from attempts to shut you down to attempts to steal information. His conclusion — that the risk, in consequence, is now much higher — is questionable, akin to claiming that because bad guys now want to pick my pocket instead of whacking me on the noggin, I’m in more danger. But the shift in emphasis is nonetheless important to you as you formulate your security tactics.

Highly responsive IT coupled with total lockdown is one way to start securing the enterprise from information thieves, but it’s far from the only one and it’s sadly lacking in many important respects. It doesn’t, for example, protect your information assets, except from a specific type of threat.

Many are pointing to the theft of a Veterans Administration laptop computer that had a huge number of veterans’ social security numbers as evidence of the need for tighter security. That total lockdown wouldn’t have helped doesn’t seem to faze many of those who haul out this example.

Frank Hayes has written about this extensively, and his point is right on the money (as usual): The solution is to not put social security numbers, or credit card information, or any other highly sensitive but unneeded data field, into any downloaded data. If you don’t have it, nobody can steal it.

Next, encrypt all sensitive data fields. If an intruder or disgruntled employee downloads gibberish, there’s no harm done, and taking names, addresses and telephone numbers results in minor inconveniences, not identity theft.
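As an added illustration of these first two steps (drop the sensitive fields nobody downstream needs, encrypt the sensitive fields that are needed, and leave names, addresses and phone numbers in the clear), here is a small Go export routine. It is example code written for this page, not anything from the column or from Frank Hayes; the field policy (ssn, credit_card, date_of_birth) and the choice of AES-GCM for field encryption are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
)

// Constructed field policy: the first set never leaves the database in a
// download, the second is needed downstream but only in encrypted form.
var neverExport = map[string]bool{"ssn": true, "credit_card": true}
var encryptOnExport = map[string]bool{"date_of_birth": true}

// NewFieldCipher builds an AES-GCM AEAD from a 16, 24 or 32 byte key.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ExportRecord applies both rules to one row; other fields pass through in the clear.
func ExportRecord(row map[string]string, gcm cipher.AEAD) (map[string]string, error) {
	out := make(map[string]string, len(row))
	for k, v := range row {
		switch {
		case neverExport[k]: // dropped: if you don't have it, nobody can steal it
		case encryptOnExport[k]:
			ct, err := SealField(gcm, v)
			if err != nil {
				return nil, err
			}
			out[k] = ct
		default:
			out[k] = v
		}
	}
	return out, nil
}

// SealField encrypts one value with a fresh random nonce, prepended so gcm.Open can recover it.
func SealField(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}
```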

Third, pay attention to physical security. Securing PCs might be fun, but it does little good if anyone can sit down at a desk in Payroll, after the employees have gone to lunch but before the login has timed out.

Fourth, institute disciplined procedures for identity management — for employee on-boarding, transfers, and departures. This helps ensure that employees only have access to the data they need, not all data they ever needed in all roles they ever held. If an employee doesn’t have access to sensitive data in the first place, malware on that employee’s desktop is less likely to transfer sensitive data outside the corporate firewall.

Fifth (of course): Install malware prevention on every desktop and keep it up to date. There is no shortage of choices, and all will do an excellent job of blocking most intrusions.

And sixth, go beyond being responsive. Anticipate what employees are likely to need and make it available … easily and without red tape. In various places in the company are employees who will be more effective if they can make use of: Digital cameras, MP3 players, a work-from-home solution, a work-from-hotel-rooms solution, PDAs/Treos/Blackberries, a real Personal Information Manager, Google Desktop, Instant Messaging, and a PDF writer (as just a few examples).

Don’t believe me? Property Management uses the cameras to document site visits. An increasing number of employees listen to podcasts while commuting. I’ve lost track of how many times Google Desktop has found files I’ve lost track of. Just for starters.

Few employees “need” these things. Need is a poor measure, though. Providing tools that make work incrementally easier is a good investment of your time and energy. That’s because, while there is no magical demarcation point, a pile of incremental improvements turns into a qualitative change. The proper test is always value, not need.

Want to make sure employees don’t install software on their own? There’s an easier and better solution than totally locking down their desktop and laptop computers.

That’s beating them to the punch.